1 files changed, 47 insertions, 21 deletions

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 1120cf14a548..9753b690a8b3 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -40,6 +40,8 @@
 #include <linux/skbuff.h>
 #include <linux/list.h>
 #include <linux/device.h>
+#include <linux/debugfs.h>
+#include <linux/seq_file.h>
 #include <linux/uaccess.h>
 #include <linux/crc16.h>
 #include <net/sock.h>
@@ -1000,7 +1002,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
 
         BT_DBG("sk %p", sk);
 
-        if (!addr || addr->sa_family != AF_BLUETOOTH)
+        if (!addr || alen < sizeof(addr->sa_family) ||
+            addr->sa_family != AF_BLUETOOTH)
                 return -EINVAL;
 
         memset(&la, 0, sizeof(la));
@@ -1368,7 +1371,6 @@ static int l2cap_ertm_send(struct sock *sk)
 
         while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
                !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
-                tx_skb = skb_clone(skb, GFP_ATOMIC);
 
                 if (pi->remote_max_tx &&
                                 bt_cb(skb)->retries == pi->remote_max_tx) {
@@ -1376,6 +1378,8 @@ static int l2cap_ertm_send(struct sock *sk)
                         break;
                 }
 
+                tx_skb = skb_clone(skb, GFP_ATOMIC);
+
                 bt_cb(skb)->retries++;
 
                 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
@@ -1622,7 +1626,10 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
         /* Connectionless channel */
         if (sk->sk_type == SOCK_DGRAM) {
                 skb = l2cap_create_connless_pdu(sk, msg, len);
-                err = l2cap_do_send(sk, skb);
+                if (IS_ERR(skb))
+                        err = PTR_ERR(skb);
+                else
+                        err = l2cap_do_send(sk, skb);
                 goto done;
         }
 
@@ -2829,6 +2836,11 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
                         int len = cmd->len - sizeof(*rsp);
                         char req[64];
 
+                        if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
+                                l2cap_send_disconn_req(conn, sk);
+                                goto done;
+                        }
+
                         /* throw out any old stored conf requests */
                         result = L2CAP_CONF_SUCCESS;
                         len = l2cap_parse_conf_rsp(sk, rsp->data,
@@ -3518,7 +3530,6 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
         struct l2cap_pinfo *pi;
         u16 control, len;
         u8 tx_seq;
-        int err;
 
         sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
         if (!sk) {
@@ -3570,13 +3581,11 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
                         goto drop;
 
                 if (__is_iframe(control))
-                        err = l2cap_data_channel_iframe(sk, control, skb);
+                        l2cap_data_channel_iframe(sk, control, skb);
                 else
-                        err = l2cap_data_channel_sframe(sk, control, skb);
+                        l2cap_data_channel_sframe(sk, control, skb);
 
-                if (!err)
-                        goto done;
-                break;
+                goto done;
 
         case L2CAP_MODE_STREAMING:
                 control = get_unaligned_le16(skb->data);
@@ -3602,7 +3611,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
                 else
                         pi->expected_tx_seq = tx_seq + 1;
 
-                err = l2cap_sar_reassembly_sdu(sk, skb, control);
+                l2cap_sar_reassembly_sdu(sk, skb, control);
 
                 goto done;
 
@@ -3939,29 +3948,42 @@ drop:
         return 0;
 }
 
-static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
+static int l2cap_debugfs_show(struct seq_file *f, void *p)
 {
         struct sock *sk;
         struct hlist_node *node;
-        char *str = buf;
 
         read_lock_bh(&l2cap_sk_list.lock);
 
         sk_for_each(sk, node, &l2cap_sk_list.head) {
                 struct l2cap_pinfo *pi = l2cap_pi(sk);
 
-                str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
-                                batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
-                                sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
-                                pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
+                seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
+                                        batostr(&bt_sk(sk)->src),
+                                        batostr(&bt_sk(sk)->dst),
+                                        sk->sk_state, __le16_to_cpu(pi->psm),
+                                        pi->scid, pi->dcid,
+                                        pi->imtu, pi->omtu, pi->sec_level);
         }
 
         read_unlock_bh(&l2cap_sk_list.lock);
 
-        return str - buf;
+        return 0;
+}
+
+static int l2cap_debugfs_open(struct inode *inode, struct file *file)
+{
+        return single_open(file, l2cap_debugfs_show, inode->i_private);
 }
 
-static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
+static const struct file_operations l2cap_debugfs_fops = {
+        .open           = l2cap_debugfs_open,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = single_release,
+};
+
+static struct dentry *l2cap_debugfs;
 
 static const struct proto_ops l2cap_sock_ops = {
         .family         = PF_BLUETOOTH,
@@ -4021,8 +4043,12 @@ static int __init l2cap_init(void)
                 goto error;
         }
 
-        if (class_create_file(bt_class, &class_attr_l2cap) < 0)
-                BT_ERR("Failed to create L2CAP info file");
+        if (bt_debugfs) {
+                l2cap_debugfs = debugfs_create_file("l2cap", 0444,
+                                        bt_debugfs, NULL, &l2cap_debugfs_fops);
+                if (!l2cap_debugfs)
+                        BT_ERR("Failed to create L2CAP debug file");
+        }
 
         BT_INFO("L2CAP ver %s", VERSION);
         BT_INFO("L2CAP socket layer initialized");
@@ -4036,7 +4062,7 @@ error:
 
 static void __exit l2cap_exit(void)
 {
-        class_remove_file(bt_class, &class_attr_l2cap);
+        debugfs_remove(l2cap_debugfs);
 
         if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
                 BT_ERR("L2CAP socket unregistration failed");